Inserisci Infobox

Linux Network configuration

Configuration of networking and security on different Linux distro

Fedora - Network configuration
Autore: al - Ultimo Aggiornamento: 2009-04-21 16:14:28 - Data di creazione: 2004-09-10 19:22:36
Tipo Infobox: DISTRO - Skill: 3- INTERMEDIATE

Network configuration on Fedora is quite similar to the one for other versions of RedHat Linux, besides the standard files, the main configuration is done on /etc/sysconfig/network where is defined the hostname and can be placed the default gateway and in the files of the /etc/sysconfig/network-scripts/ directory.

The TCP/IP network setup is done with the script /etc/init.d/network, with obviously must be started before other network services on a connected machine.
The official graphical configuration tool is system-config-network (Menu System Settings - Network), from here is possible to define the IP parameters for all the interfaces found on the system (tab Devices, modifies the /etc/sysconfig/network-scripts/ifcfg-interface and /etc/sysconfig/networking/devices/ifcfg-interface files), the IP of the DNS servers (tab DNS, modifies /etc/resolv.conf), the static host IP assignement (tab Hosts, modifies /etc/hosts).
Fedora supports also user's profiles, with differnet network settings. The Network Configuration tools easily let the user define a profile and its parameters, the relevant system files are placed in the directory /etc/sysconfig/networking/profiles/profilename/. Currently Fedora does not allow the definition of a profile at boot time, when the machine is started the default "Common" profile is used, to switch to a custom one either launch system-config-network graphical tool and select your profile or type system-config-network-cmd -p profilename --activate.
RedHat provides other network configuration tools:
netconfig is an old text configuration tool, which is obsolete and may be used to a fast configuration;
system-config-network-tui is the text version of the graphical Network Configuration Tool.
system-config-network-druid (Menu System tools - Internet configuration wizard) is a guided wizard which helps an easy configuration of Ethernet, modem, ISDN, DSL, wireless configuration.

Firewall configuration
Red Hat stores the firewall configuration in the /etc/sysconfig/iptables file which is formatted in order to be used by the iptables-restore command. Firewalling is managed with the /etc/init.d/iptables script which can be followed by arguments like start to activate firewalling, stop to disable it, panic to shutdown any Internet access, status to view the current iptables rules.
A simple and not extremely flexible configuration tool is system-config-firewall, which is adeguate for a desktop machine but surely not for a router/firewall.

Suse 9: Network configuration
Autore: al - Ultimo Aggiornamento: 2004-01-14 19:59:31 - Data di creazione: 2004-01-14 19:59:31
Tipo Infobox: DISTRO - Skill: 3- INTERMEDIATE

Network configuration on Suse has substantially evolved since version 8.0 and resembles the one found in various other Linux distributions.
As usual Yast2 can be used to fully configure network devices nad TCP/IP settings and since we presume you already know how to do it with a graphical interface, let's see, more deeply the involved files.

Configuration files
These are the systems's configuration files for every network interface where "*" can be the name of the inteface (eth0, eth1, lo, ppp0...), its MAC address (ex: 00c09f2dc8a4) or indicate what hardware is used (usb, pcmcia).
The main parameters used in these files are:
BOOTPROTO - Can be static (IP configured manually), dhcp (IP oubtained through DHCP)
IPADDR BROADCAST NETMASK NETWORK - Define typical IP parameters: IP address, broadcast, netmask and network address
MTU - Defines the Maximum Transfer Unit (the size of every IP packet). Default on ethernet devices is 1500.
STARTMODE - Indicates the to activate the interface: onboot (at system's boot), hotplug (when a pluggable network device is inserted), manual (manually).
Other parameters can be used and can vary according to the interface type.

Contains various, well commented, variables that are applied to every interface, they include also what actions can be done when the interface status is changed. The same values can be specified in the single /etc/sysconfig/network/ifcfg-* files, for a more granular control on the single interfaces.
/etc/sysconfig/network/dhcp, similarly, sets parameters related to dhcp use (logging, lease time, timouts, modification of system's settings, wait time at boot and so on).
/etc/sysconfig/network/wireless sets and describes the various parameters that can be applied to wireless devices (wieless mode, essid, frequency, sensibility, encryption key...). As usual they can be used in the ifcfg files of the single wireless devices, but it's useful to know the options than can be used.

Defines all the (general) static routes. It's possible to specify routes exclusively related to the activation of single interfaces with the files /etc/sysconfig/network/ifroute-interface.
The format of this file is:

Defines, as in most Unixes, the address of the DNS server to be used by the system.
Some services (pppd, ipppd, dhcpclient, hotplug, pcmcia, pptpclient) can temporarily modify this file in order to use, according to the new connection established, the appropriate DNS server. This is done by Suse's nice shell script /sbin/modify_resolvconf which has various options to handle and manage different dynamic entries in /etc/resolv.conf and /etc/named.conf.

As in most Unixes, in this file you can statically assign IP addresses to host names. You can also use /etc/networks for IP networks. The resolver by default first checks this file, before querying the DNS servers in /etc/resolv.conf. This order and other settings about how the system assigns names to resources can be changed (as in every Linux) in /etc/host.conf (old configuration file used by libc4 and libc5 linked programs) or /etc/nsswitch.conf (used by every recent program linked with glibc libraries).

Contains the hostname of the system, used by various startup scripts.

SuSE features typical Linux network related commands as ifconfig route netstat ip and other commands which can be found in various distros such as ifup (can be invoked also by the symlinks ifstatus or ifdown giving status info on the specified interface or shutting it down) .
Similarly to RedHat's service command, SuSE provides a set of scripts, or better symlinks, to manage to init scripts for the various services:
/sbin/rcnetwork restart restarts the network services as would do the command /etc/init.d/network restart.

Suse 9: Firewalling
Autore: al - Ultimo Aggiornamento: 2004-01-14 23:17:08 - Data di creazione: 2004-01-14 23:17:08
Tipo Infobox: DISTRO - Skill: 3- INTERMEDIATE

Suse 9's firewall management is in the hands of the SuSEfirewall2 package and (obviously) based on iptables. The package provides a main script /sbin/SuSEfirewall2 and various initialization and configuration scripts that  present a user friendly logic that hides the raw syntax of the iptables command.
The configuration can be done with YaST2 graphical interface or editing directly the main configuration file /etc/sysconfig/SuSEfirewall2.

The questions asked in YaST2 have their equivalent in the variables configured in this file, which define various (well commented) parameters function-oriented such as:
FW_SERVICES_EXT_TCP="http ssh telnet"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
# FW_HTB_TUNE_DEV="ppp0,125"
#   FW_HTB_TUNE_DEV="ppp0,250"

The init scripts are divided in three stages: /etc/init.d/SuSEfirewall2_init, /etc/init.d/SuSEfirewall2_setup and /etc/init.d/SuSEfirewall2_final  which are easily managed by the rcSuSEfirewall2 script.
Sample configurations and some docs can be found in /usr/share/doc/packages/ and, while it's still possible to use the iptables command in the interactive shell or in custom scripts, the easy and fast choice is surely to comform to the SuSEfirewall2 logic.
The SuSEfirewall2 command provides some nice options:
SuSEfirewall2 start|stop Applies or removes the iptables.
SuSEfirewall2 status Show the status of the iptables (provides the output of iptables -L -nv).
SuSEfirewall2 test Simulates the rules, logging all the packets that would be dropped.
SuSEfirewall2 debug Prints to stdout the iptables commands that could be applied, without actually executing them.

Networking in Linux
Autore: al - Ultimo Aggiornamento: 2004-09-08 00:04:48 - Data di creazione: 2004-09-08 00:04:48
Tipo Infobox: DESCRIPTION - Skill: 2- JUNIOR

The basic commands used in Linux are common to every distro:
ifconfig - Configures and displays the IP parameters of a network interface
route - Used to set static routes and view the routing table
hostname - Necessary for viewing and setting the hostname of the system
netstat - Flexible command for viewing information about network statistics, current connections, listeing ports
arp - Shows and manages the arp table
mii-tool - Used to set the interface parameters at data link layer (half/full duplex, interface speed, autonegotiation...)

Many distro are now including the iproute2 tools with enhanced routing and networking tools:
ip - Multi purpose command for viewing and setting TCP/IP parameters and routes.
tc Traffic control command, used  for classifying, prioritizing, sharing, and limiting both inbound and outbound traffic.

Every distro has its own configuration tool that operate on variously defined configuration files. Some of them are common: /etc/resolv.conf, /etc/nsswitch.conf, /etc/hosts, /etc/services, /etc/protocols

Some, typically the ones where are defined IP addresses and routes, change. Here are some relevant files for various distro, their syntax may vary according the scripts used to handle them:

/etc/network/interfaces - Interfaces and network parameters     

RedHat Graphical interface: redhat-config-network
/etc/sysconfig/network-scripts/ifcfg-* - Configuration files for each interface. The same file can be found, divided per profile, in /etc/sysconfig/networking/devices/*
/etc/sysconfig/network - Hostname, default gateway, general configuration
/etc/sysconfig/static-routes - Static routes (if any)     

SlackWare Graphical interface: Netconfig
/etc/rc.d/rc.inet1 - IP and network parameters
/etc/rc.d/rc.inet2 - Network Services configuration     

Mandrake Graphical interface: Drakconnect
/etc/sysconfig/network-scripts/ifcfg-* - Configuration files for each interface. The same file can be found, divided per profile, in /etc/sysconfig/networking/devices/*
/etc/sysconfig/network - Hostname, default gateway, general configuration
/etc/sysconfig/static-routes - Static routes (if any)     

/etc/conf.d/net - Ip network and interfaces parameters
/etc/conf.d/routes - Static routes     

SUSE Graphical interface: Yest2
/etc/sysconfig/network/ifcfg-* - Configuration files for each interface.
/etc/sysconfig/network/config - General network configuration.

Debian - Network Configuration
Autore: neo - Ultimo Aggiornamento: 2004-09-14 14:24:19 - Data di creazione: 2004-09-14 14:24:19
Tipo Infobox: DISTRO - Skill:

Directory configuration files container  is /etc/network, here you find all file used by ifup and ifdown command to manage the network interfaces.
A single file /etc/network/interfaces to setting up all interfaces, follow a example:
eva:/etc/network# cat interfaces
Configuration options for loopback
auto lo
iface lo inet loopback
Configuration options for eth0
auto eth0
iface eth0 inet dhcp

File/etc/network/options contain configuration string to enable/disable network parameters at kernel runtime as ip_forward or syncookies,Example:
eva:/etc/network# cat options

You can manage network with /etc/inet.d/networking script  or ifup / ifdown commands and current state of network interfaces are stored in /etc/network/ifstate.
You can setting up hostname editing the /etc/hostname file and mapping ip and hostname with  /etc/hosts, if you want setting a DNS, how in all UNIX  system, edit /etc/resolv.conf.

Slackware - Network configuration
Autore: al - Ultimo Aggiornamento: 2004-09-13 21:56:43 - Data di creazione: 2004-09-13 21:56:43
Tipo Infobox: DISTRO - Skill: 3- INTERMEDIATE

The configuration and setup scripts for networking are a place where Slackware distinguishes itself from other distros.
The proper kernel modules to support ths system NICs are loaded by /etc/rc.d/rc.modules and, if setup has successfully recognized local hardware, /etc/rc.d/rc.netdevice.

The IP configuration parameters are placed in /etc/rc.d/rc.inet1.conf, they can be edited manually or configured by the netconfig tool.
As usual, /etc/resolv.conf contains the IP of the DNS servers and /etc/hosts the static hostname-IP settings.
The /etc/rc.d/rc.inet1 takes care to activate and configure the network interfaces and default gateway according to the user's configuration, the script /etc/rc.d/rc.inet2, executed later, mounts eventual NFS and SMB shares, starts the portmapper, starts firewalling (/etc/rc.d/rc.firewall start), activates IP forwarding (/etc/rc.d/rc.ip_forward start), starts the Inetd superdaemon (/etc/rc.d/rc.inetd start, configured by /etc/inetd.conf with services TCP wrapped according to the limits placed in /etc/hosts.allow and /etc/hosts.deny), the OpenSSH daemon (/etc/rc.d/rc.sshd start), the Bind name server (/etc/rc.d/rc.bind start), NIS (/etc/rc.d/rc.yp start) and NFS server (/etc/rc.d/rc.nfs start).
All these services are started if the relative scripts are executables, to disable one of them, chmod the script to be not executable (rough but effective).

Wireless networking is managed via the /etc/rc.d/rc.wireless, /etc/rc.d/rc.wireless.conf and /etc/rc.d/rc.wlan scripts.
The tool pppsetup cab be used to configure dial up networking, it operated on the files in .

Ethernet Bonding: mode 1 Active-Backlup
Autore: stargazer - Ultimo Aggiornamento: 2009-05-16 12:40:42 - Data di creazione: 2009-05-16 12:29:51
Tipo Infobox: DESCRIPTION - Skill:

In questo infobox verra' descritto come configurare in bonding le interfacce di rete di un sistema Linux (Debian nel caso specifico). Tramite questa tecnica e' possibile raggruppare piu' interfacce fisiche in un'interfaccia logica in modo da distribuire il carico su piu' schede anziche' una sola oppure mettere in atto meccanismi di fault-tolerance.    

In particolare, esistono diverse modalita' di bonding, caratterizzate da meccanismi di funzionamento differenti:    

- Mode 0, Balance RR    
- Mode 1. Active-Backup    
- Mode 2, Balance XOR    
- Mode 3, Broadcast    
- Mode 4, 802.3ad    
- Mode 5, Balance TLB    
- Mode 6, Balance ALB    

Nella configurazione descritta viene utilizzata la modalita' Active Backup, ove e' attiva una sola interfaccia, mentre l'altra resta in "standby" pronta a subentrare in caso di problemi alla scheda primaria. Questa modalita, inoltre, non richiede particolari modifiche alla configurazione degli switch coinvolti.    
La configurazione presentata viene al momento utilizzata per un bilanciatore dove ho voluto garantire un minimo di ridondanza al fine di erogare il servizio anche in caso di problemi alla scheda attiva in quel momento.    

Innanzitutto e' necessario installare il package ifenslave, che consente di aggiungere e rimuovere interfacce slave ad un device in bonding:    

apt-get install ifenslave-2.6    

Per potere configurare delle schede di rete in bonding, inoltre, e' necessario che nel kernel sia abilitato il supporto per questa funzionalita'. Nel caso di Debian Lenny il kernel standard include gia' un modulo per questa funzionalita' che puo' essere caricato con il comando modprobe bonding.    
In alternativa, al fine di automatizzare l'operazione ad ogni avvio del sistema e' preferibile inserire la seguente linea in /etc/modules:    
Il modulo, inoltre, richiede che gli vengano passati alcuni parametri sulla linea di comando di modprobe. Poiche' ho preferito fare in modo che esso venga caricato automaticamente al boot del sistema, tali opzioni sono state inserite nel file /etc/modprobe.d/arch/i386:    
alias bond0 bonding    
options bonding mode=1 miimon=100 downdelay=200 updelay 200    
L'opzione mode specifica la tipolgia di bonding da utilizzare (nel caso Active/Backup), miimon indica invece ogni quanti millisecondi il link di ogni slave viene verificato al fine di identificare eventuali failure. Infine downdelay e updelay indicano rispettivamente quanti millisecondi attendere prima di disabilitare uno slave dopo che sia stato verificato un link failure e quanto attendere prima di riabilitarlo dopo che il link sia ritornato disponibile.    
In caso siano necessarie piu' interfacce logiche in bonding, e' possibile aggiungere altri alias al file /etc/modprobe.d/arch/i386 (ad es. alias bond1 bonding.    

Una volta modificato il file eseguire il comando depmod -r.      

Infine, dopo avere abilitato il bonding e' necessario configurare l'interfaccia bond0 ed aggiungere le interfacce fisiche al bond con il comando ifenslave. Anziche' utilizzare ifconfig ed ifenslave da command line e' possibile modificare il file /etc/network/interfaces commentando le entries relative alle varie eth ed aggiungendo la parte riguardante l'interfaccia bond0:    
        auto bond0    
        iface bond0 inet static    
        up /sbin/ifenslave bond0 eth0 eth1    
        down /sbin/ifenslave -d bond0 eth0 eth1    
In questo modo la configurazione verra' memorizzata in modo da potere  essere riapplicata anche dopo eventuali reboot del sistema.    

Per verificare lo stato delle interfacce appartenenti al bonding e' possibile fare  riferimento al file /proc/net/bonding/bond0:    
Bonding Mode: fault-tolerance (active-backup)    
Primary Slave: None    
Currently Active Slave: eth1    
MII Status: up    
MII Polling Interval (ms): 100    
Up Delay (ms): 200    
Down Delay (ms): 200    

Slave Interface: eth0    
MII Status: down    
Link Failure Count: 0    
Permanent HW addr: 00:a0:d2:1c:2b:f9    

Slave Interface: eth1    
MII Status: up    
Link Failure Count: 0    
Permanent HW addr: 00:0b:cd:67:8c:1c    
Nell'esempio in questione e' possibile notare che l'interfaccia al momento attiva e' la eth1, mentre la eth0 e' invece scollegata, come si puo' evincere da MII status=down  

Infine, per testare il funzionamento del sistema, se si hanno entrambe le schede collegate, sara' sufficiente scollegare il cavo ethernet dalla scheda in quel momento in funzione e verificare se il sistema continui ad essere raggiungibile.    

La procedura illustrata prevede la modifica di alcuni file di configurazione presenti in una distribuzione debian GNU/Linux, in modo da rendere le modifiche al sistema permamenenti. In caso ci si volesse limitare a dei test dovrebbe essere possibile ottenere il medesimo risultato caricando il modulo bonding da linea di comando e gestendo il bonding tramite ifenslave. Personalmente non ho mai fatto test in tal senso, ma i comandi da dare dovrebbero essere i seguenti:    
modprobe bonding  mode=1 miimon=100 downdelay=200 updelay 200    
ifconfig bond0 netmask up    
ifenslave bond0 eth0    
ifenslave bond0 eth1    

Privacy Policy